CVE-2026-2614: MLflow: path traversal allows unauthenticated file read

GHSA-42h5-h8qh-vv9v HIGH CISA: TRACK*
Published May 11, 2026
CISO Take

MLflow's model version creation handler contains a path traversal flaw that allows any unauthenticated attacker with network access to the MLflow tracking server to read arbitrary files from its filesystem. The exploit requires a single crafted API request — no credentials, no prior access — making exploitation trivially achievable by a script-kiddie once the attack primitive is published. MLflow servers in typical MLOps environments hold or have access to cloud provider credentials, API keys in environment files, model weights, and proprietary training data, meaning a successful read can cascade into full cloud account compromise. Organizations should upgrade to MLflow 3.10.0 immediately; if patching cannot be done today, restrict MLflow server network exposure to trusted IP ranges only and audit recent model version creation logs for source paths outside the expected model artifact directories.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

HIGH for any organization running MLflow ≤ 3.9.0 with a network-reachable tracking server. The authentication bypass is complete — zero credentials required — and the exploit primitive is explicit from the CVE description, meaning weaponization time is measured in hours once public attention lands on this. MLflow's typical deployment posture (internal data-center or VPC with assumed-safe network perimeter) creates a false sense of security; lateral movement from a compromised internal host or a misconfigured security group is sufficient to reach these servers. No CVSS score is assigned yet, but the attack vector (network), privileges required (none), and impact (complete confidentiality loss) place this firmly in the 9.x Critical range under standard scoring.

How does the attack unfold?

Target Identification
Attacker discovers a network-accessible MLflow tracking server, which requires no authentication in default configurations.
AML.T0006
Validation Bypass
Attacker sends an unauthenticated CreateModelVersion API request including the tag `mlflow.prompt.is_prompt` with an arbitrary filesystem path (e.g., `/home/mlflow/.aws/credentials`) as the model version source, bypassing source path validation.
AML.T0049
File Exfiltration
Attacker requests the model version artifact via the artifact handler endpoint; the server serves the targeted file verbatim without re-validating the model version's prompt status.
AML.T0025
Credential Harvest & Pivot
Attacker uses exfiltrated cloud credentials or API keys to access downstream infrastructure — S3 buckets, GCS, model registries — containing proprietary model weights and training datasets.
AML.T0055

What systems are affected?

Package Ecosystem Vulnerable Range Patched
MLflow pip < 3.10.0 3.10.0
26.7K OpenSSF 5.4 655 dependents Pushed 6d ago 31% patched ~76d to patch Full package profile →

Do you use MLflow? You're affected.

How severe is it?

CVSS 3.1
7.5 / 10
EPSS
0.7%
chance of exploitation in 30 days
Higher than 48% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I None
A None

What should I do?

1 step
  1. 1) Upgrade to MLflow 3.10.0 immediately — this is the only complete fix. 2) If immediate patching is blocked, restrict network access to the MLflow tracking server to explicitly allowlisted IP ranges; do not rely on VPC perimeter as sole control. 3) Review MLflow server process privileges and ensure it runs under a dedicated service account with minimal filesystem permissions (no access to ~root, ~/.ssh, ~/.aws). 4) Audit model version creation events in MLflow logs from the past 90 days; flag any CreateModelVersion requests where the source field contains paths outside expected artifact directories (e.g., /etc/, /home/, ~/.aws/, /var/secrets/). 5) Rotate all credentials that may have been accessible to the MLflow server process — cloud API keys, database passwords, service account tokens. 6) Enable authentication on MLflow tracking servers if not already in place; the default MLflow configuration ships with no authentication.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system
ISO 42001
A.6.2.5 - Data acquisition and preparation safeguards A.9.3 - Information about AI system functioning
NIST AI RMF
GOVERN 6.2 - Organizational risk management policies cover AI risk MANAGE 1.3 - Responses to AI risks and adverse impacts
OWASP LLM Top 10
LLM02:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-2614?

MLflow's model version creation handler contains a path traversal flaw that allows any unauthenticated attacker with network access to the MLflow tracking server to read arbitrary files from its filesystem. The exploit requires a single crafted API request — no credentials, no prior access — making exploitation trivially achievable by a script-kiddie once the attack primitive is published. MLflow servers in typical MLOps environments hold or have access to cloud provider credentials, API keys in environment files, model weights, and proprietary training data, meaning a successful read can cascade into full cloud account compromise. Organizations should upgrade to MLflow 3.10.0 immediately; if patching cannot be done today, restrict MLflow server network exposure to trusted IP ranges only and audit recent model version creation logs for source paths outside the expected model artifact directories.

Is CVE-2026-2614 actively exploited?

No confirmed active exploitation of CVE-2026-2614 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-2614?

1) Upgrade to MLflow 3.10.0 immediately — this is the only complete fix. 2) If immediate patching is blocked, restrict network access to the MLflow tracking server to explicitly allowlisted IP ranges; do not rely on VPC perimeter as sole control. 3) Review MLflow server process privileges and ensure it runs under a dedicated service account with minimal filesystem permissions (no access to ~root, ~/.ssh, ~/.aws). 4) Audit model version creation events in MLflow logs from the past 90 days; flag any CreateModelVersion requests where the source field contains paths outside expected artifact directories (e.g., /etc/, /home/, ~/.aws/, /var/secrets/). 5) Rotate all credentials that may have been accessible to the MLflow server process — cloud API keys, database passwords, service account tokens. 6) Enable authentication on MLflow tracking servers if not already in place; the default MLflow configuration ships with no authentication.

What systems are affected by CVE-2026-2614?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, model registries, training pipelines, experiment tracking infrastructure.

What is the CVSS score for CVE-2026-2614?

CVE-2026-2614 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.70%.

What is the AI security impact?

Affected AI Architectures

MLOps platformsmodel registriestraining pipelinesexperiment tracking infrastructure

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.2.5, A.9.3
NIST AI RMF: GOVERN 6.2, MANAGE 1.3
OWASP LLM Top 10: LLM02:2025

What are the technical details?

Original Advisory

A vulnerability in the `_create_model_version()` handler of `mlflow/server/handlers.py` in mlflow/mlflow versions 3.9.0 and earlier allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem. The issue arises when a `CreateModelVersion` request includes the tag `mlflow.prompt.is_prompt`, which bypasses source path validation. This enables an attacker to store an arbitrary local filesystem path as the model version source. The `get_model_version_artifact_handler()` function later uses this source to serve files without verifying the model version's prompt status, leading to a complete confidentiality compromise. This issue is fixed in version 3.10.0.

Exploitation Scenario

An attacker targeting an organization's ML infrastructure performs reconnaissance and identifies a publicly reachable or internally accessible MLflow tracking server (common in developer environments, CI/CD pipelines, or misconfigured VPCs). Without any credentials, the attacker sends a POST request to the MLflow REST API to create a model version, embedding the tag `mlflow.prompt.is_prompt` and setting the source field to a sensitive filesystem path such as `/home/mlflow/.aws/credentials` or `/etc/environment`. The source path validation check is bypassed because the presence of the prompt tag triggers a code path that skips path sanitization. The attacker then issues a GET request to retrieve the model version's artifacts, and the `get_model_version_artifact_handler()` serves the file contents verbatim without re-validating the model version's prompt status. The attacker now holds cloud credentials and can pivot to S3 buckets, GCS, or Azure Blob Storage containing proprietary model weights and training datasets.

Weaknesses (CWE)

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published
May 11, 2026
Last Modified
July 2, 2026
First Seen
May 11, 2026

Related Vulnerabilities